geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vamsavardhana Reddy (JIRA)" <>
Subject [jira] Updated: (GERONIMO-3404) Using a Null Username allows access to a running 2.0 server
Date Mon, 13 Aug 2007 21:29:30 GMT


Vamsavardhana Reddy updated GERONIMO-3404:

    Attachment: GERONIMO-3404.patch

The problem is due to login() method in LoginModule implementations returning false incase
of a failed login whereas it should actually be throwing a LoginException.

GERONIMO-3404.patch:  Changes the "return false" to "throw FailedLoginException()" incase
of login failures.

This problem should have been fixed as part of GERONIMO-1201.  Now that this problem had surfaced,
I would suggest that we review/revise this patch and other LoginModule implementors in the
code to closely follow the JAAS Documentation

> Using a Null Username allows access to a running 2.0 server
> -----------------------------------------------------------
>                 Key: GERONIMO-3404
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 2.0
>         Environment: Released on WinXP and on Linux
>            Reporter: Donald Woods
>            Priority: Critical
>             Fix For: 2.0.x, 2.1
>         Attachments: GERONIMO-3404.patch
> I was just testing the on a new WinXP machine and discovered
that anyone can administer a Geronimo server (local or remotely) if they enter a null Username
when prompted by the deploy or geronimo scripts.  I verified that the <user_home>\.geronimo-deployer
file did not exist on the WinXP machine and on a Linux box I used to verify the remote scenario....

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message